PatchSiren

CVE-2026-46006 Linux CVE debrief

An integer overflow vulnerability exists in the Linux kernel's Nouveau DRM driver, in the `nouveau_gem_pushbuf_reloc_apply()` function. The flaw is a 32-bit unsigned integer overflow in the bounds check applied to GPU pushbuffer relocations. The `reloc_bo_offset` field is defined as `__u32` in the UAPI header, and when the integer literal `4` is added to it, C's usual arithmetic conversions cause the addition to be performed in 32-bit unsigned arithmetic. The sum can therefore wrap around before it is compared against the `size_t` buffer size, potentially bypassing the bounds check and enabling out-of-bounds memory access. The vulnerability affects systems utilizing NVIDIA GPUs with the open-source Nouveau driver. The fix casts the operands to `u64` to ensure 64-bit arithmetic, preventing the overflow. Multiple stable kernel branches have received patches.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with NVIDIA GPUs using the Nouveau open-source driver, particularly multi-user or containerized environments where unprivileged users may access GPU resources. Cloud providers offering GPU instances with Nouveau driver support. Embedded systems and workstations utilizing NVIDIA graphics with kernel-level GPU access.

Technical summary

The vulnerability exists in `drivers/gpu/drm/nouveau/nouveau_gem.c` in the `nouveau_gem_pushbuf_reloc_apply()` function. The bounds check `if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)` performs 32-bit unsigned arithmetic because `reloc_bo_offset` is `__u32` and the literal `4` is converted to `unsigned int` for the addition. When `reloc_bo_offset` exceeds `UINT_MAX - 4`, the addition wraps to a small value, so the comparison incorrectly passes and relocation operations are allowed beyond buffer boundaries. The fix casts to `u64`: `if ((u64)r->reloc_bo_offset + 4 > nvbo->bo.base.size)`. This is a classic integer overflow leading to insufficient bounds validation, exploitable for potential information disclosure or memory corruption in kernel space.
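The two forms of the check can be compared in userspace. The program below is an added example, not code from the kernel tree or the patch: the function names, the 4096-byte buffer size and the sample offsets are constructed for illustration, and it assumes a 32-bit `int`, as on all Linux targets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix form: uint32_t + int is evaluated in 32 bits and can wrap
 * before the result is widened for the comparison with size_t. */
static bool rejects_u32(uint32_t reloc_bo_offset, size_t bo_size)
{
    return reloc_bo_offset + 4 > bo_size;
}

/* Fixed form: widen first so the sum is computed in 64 bits. */
static bool rejects_u64(uint32_t reloc_bo_offset, size_t bo_size)
{
    return (uint64_t)reloc_bo_offset + 4 > bo_size;
}

/* Constructed sample offsets around both boundaries (not real data). */
static const uint32_t sample_offsets[] = {
    0u, 4092u, 4093u, 4096u, 0xFFFFFFFBu, 0xFFFFFFFCu, 0xFFFFFFFFu,
};
#define N_SAMPLES (sizeof(sample_offsets) / sizeof(sample_offsets[0]))

/* Count offsets the 32-bit check accepts but the 64-bit check rejects. */
static size_t count_bypasses(const uint32_t *offs, size_t n, size_t bo_size)
{
    size_t missed = 0;
    for (size_t i = 0; i < n; i++)
        if (!rejects_u32(offs[i], bo_size) && rejects_u64(offs[i], bo_size))
            missed++;
    return missed;
}

int main(void)
{
    const size_t bo_size = 4096; /* hypothetical buffer object size */

    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("offset=0x%08x  u32 check: %-6s  u64 check: %s\n",
               (unsigned)sample_offsets[i],
               rejects_u32(sample_offsets[i], bo_size) ? "reject" : "accept",
               rejects_u64(sample_offsets[i], bo_size) ? "reject" : "accept");
    printf("missed by 32-bit check: %zu\n",
           count_bypasses(sample_offsets, N_SAMPLES, bo_size));
    return 0;
}
```

The two checks disagree only for offsets above `UINT_MAX - 4`, which is the range the `u64` cast closes.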

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from your distribution vendor when available, referencing the specific stable branch commits
  • Verify running kernel version against patched versions in stable branches (commits referenced in source)
  • Monitor NVIDIA GPU systems using Nouveau driver for unusual behavior or stability issues
  • Review system logs for GPU-related errors that may indicate exploitation attempts
  • Consider restricting unprivileged access to DRM/GPU interfaces where feasible via system hardening
  • Subscribe to Linux stable kernel announcements for security update notifications

Evidence notes

Vulnerability description confirms integer overflow in 32-bit arithmetic during relocation bounds checking. Five kernel.org stable branch commits provided as references. CVE published 2026-05-27 with 'Awaiting Analysis' status. No CVSS score or severity assigned by NVD at time of disclosure.
